Guest Feedback AI

Hotel Guest Feedback AI: FTC Review Rules, GDPR Survey Consent & TCPA Compliance

Updated: February 2026FTC 16 CFR 255 • GDPR Art. 6 LIA • TCPA SMS • UK CMA CAP Code • CCPA

84%

Consumers trust online reviews as much as personal recommendations (BrightLocal 2024)

£145K

FTC fine to Lord & Taylor for undisclosed paid reviews (precedent for hotels)

4.3x

Revenue uplift for hotels responding to reviews within 24 hrs (TripAdvisor data)

GDPR Art.6

Lawful basis required for every guest survey email sent post-stay

REGULATORY RISK:The FTC's revised Endorsement Guides (16 CFR Part 255, August 2023) explicitly prohibit hotels from offering discounts, upgrades, or loyalty points in exchange for positive reviews without clear disclosure. The UK Competition and Markets Authority (CMA) issued formal guidance in 2022 warning hotel groups against suppressing negative reviews, cherry-picking testimonials, or paying for fake reviews — all of which constitute violations of the Consumer Protection from Unfair Trading Regulations 2008. GDPR adds a consent/legitimate interest requirement for every post-stay survey email sent to EU guests.

Section 1

Guest Feedback: Where Reputation Meets Regulation

KEY ENFORCEMENT — FTC Endorsement Guides & UK ASA Review Compliance

US Rule

FTC 16 CFR Part 255 — Revised 2023

Risk

Undisclosed incentivised reviews = deceptive advertising

UK Rule

ASA CAP Code / CMA Consumer Protection from Unfair Trading Regs 2008

Hotel Exposure

Up to £300K per ASA/CMA enforcement action

Online reviews directly influence 81% of hotel booking decisions (PhoCusWright). TripAdvisor, Google, and Booking.com collectively host over 900 million hospitality reviews. Yet guest feedback management has become a regulatory minefield: the FTC (US), CMA (UK), ACCC (Australia), and EU/national consumer protection authorities all enforce rules against fake, suppressed, or undisclosed-incentive reviews. Simultaneously, GDPR Article 6 requires a lawful basis for post-stay survey emails, and TCPA/CTIA regulations govern SMS feedback requests in the US.

FTC Deceptive Review Practices

Offering loyalty points, discounts, or upgrades for positive reviews without disclosure violates 16 CFR Part 255. FTC's 2023 revision added penalties up to $50,120 per violation for reviewers and companies alike.

GDPR Post-Stay Survey Consent

Emailing guests a satisfaction survey requires either prior consent (Art. 6(1)(a)) or legitimate interest assessment (Art. 6(1)(f)) with opt-out. ICO guidance (2022) warns that bulk survey emails sent without a recorded lawful basis breach UK GDPR.

TCPA SMS Feedback Requests

SMS satisfaction requests require prior express written consent under TCPA (47 USC 227). Class action exposure: $500–$1,500 per unsolicited text message. Hotels must maintain consent records for each mobile number.

Section 2

Regulatory Framework for Guest Reviews and Surveys

FTC Endorsement Guides (16 CFR Part 255, Revised 2023)

The FTC's August 2023 revision to the Endorsement Guides introduced: (1) explicit prohibition on offering compensation or incentives for reviews without clear disclosure; (2) ban on companies suppressing negative reviews while publishing only positive ones; (3) prohibition on buying fake reviews or using insider review networks; (4) civil penalties up to $50,120 per violation for knowing violations. Hotels that prompt guests for reviews via email or app without disclosing any incentive tied to the request violate these guides.

UK CMA & ASA Review Enforcement

The UK Competition and Markets Authority's 2022 hotel investigation resulted in undertakings from major OTAs and hotel groups. The ASA CAP Code (Rules 3.1, 3.45) prohibits misleading testimonials and requires disclosure of any commercial relationship. The Consumer Protection from Unfair Trading Regulations 2008 (CPRs) treat fake reviews and selective publication as 'misleading commercial practices' — enforceable with unlimited fines and director liability.

GDPR Article 6 for Feedback Data

Guest satisfaction surveys collect personal data (email address, stay experience, preferences). GDPR Article 6 requires a documented lawful basis. Legitimate interest (Art. 6(1)(f)) is the most common basis for post-stay surveys, but requires a three-part test: legitimate purpose, necessity, and balance against guest interests. The ICO recommends a Legitimate Interest Assessment (LIA) on file before deploying survey programmes. Retention of survey data beyond aggregation for analytics purposes requires a separate basis.

TRIPADVISOR & GOOGLE REVIEW GATING:The practice of 'review gating' — only asking satisfied guests for public reviews while routing dissatisfied guests to private feedback channels — violates TripAdvisor's Review Integrity Programme and was cited in FTC's 2023 guidance as a form of selective endorsement. Hotels using AI review-request tools must send requests to all guests equally, without pre-screening satisfaction scores.

Section 3

How Claire Manages Compliant Guest Feedback

Claire Guest Feedback AI Capabilities

✓

GDPR-Compliant Survey Dispatch: Checks lawful basis record before sending post-stay survey; logs legitimate interest assessment; supports consent-based and opt-out workflows.

✓

FTC Disclosure Enforcement: Automatically appends required disclosure language to review request messages where any incentive is offered; blocks non-compliant incentive programs.

✓

TCPA Consent Verification: Validates mobile consent records before SMS survey dispatch; maintains opt-out registry; logs consent with timestamp and IP for litigation defence.

✓

Anti-Review-Gating Logic: Sends review requests to all guests meeting threshold criteria; prevents routing by satisfaction score; generates equal-distribution audit reports.

✓

Sentiment Analysis & Triage: AI processes feedback at scale; routes safety complaints (food poisoning, injury) to risk management within 15 minutes; tracks OSHA-relevant incidents.

✓

Response Compliance Monitor: Flags management responses that contain defamatory statements, privacy-violating guest data references, or FTC-prohibited statements before publication.

Section 4

Guest Feedback Compliance Checklist

GDPR Lawful Basis for Surveys:Document legitimate interest assessment or consent for post-stay email surveys; include survey purpose in privacy notice.
TCPA SMS Consent Records:Maintain timestamped prior express written consent for each mobile number before sending SMS satisfaction requests.
FTC Disclosure Language:Any review request tied to an incentive must include clear, conspicuous disclosure per 16 CFR Part 255 (2023 revision).
Anti-Gating Survey Distribution:Send review requests to all eligible guests; do not pre-screen by satisfaction score before routing to public platforms.
UK CMA/ASA Compliance:Do not suppress negative reviews; maintain equal publication policy for UK-facing platforms per CPR 2008 and ASA CAP Code.
Review Response Privacy Screen:Ensure management responses do not include guest PII (room number, booking details) that could identify the reviewer.
Survey Data Retention Limit:Define maximum retention for individual survey responses (recommend 24 months); aggregate analytics data separately.
Negative Feedback Escalation:Route food safety, injury, and harassment complaints to designated risk management within 1 hour; log escalation for OSHA/liability purposes.
Third-Party Review Platform DPA:Ensure Data Processing Agreements with survey vendors (Medallia, Revinate, TrustYou) are current and include GDPR Article 28 provisions.
CCPA Survey Data Rights:Include survey data in CCPA personal information disclosure; honour deletion requests for individual survey responses within 45 days.

Section 5

Frequently Asked Questions

Can we offer loyalty points in exchange for a TripAdvisor review?

Yes, but only with full disclosure. FTC 16 CFR Part 255 (2023) and TripAdvisor's Review Integrity Programme both require clear disclosure if any incentive is linked to a review request. The disclosure must appear in the same message as the review request, be conspicuous, and not be conditional on a positive review. Offering points only for positive reviews is explicitly prohibited.

Do we need consent to email guests a satisfaction survey?

Under GDPR, you need a documented lawful basis — either prior consent or a Legitimate Interest Assessment (LIA). UK ICO guidance accepts legitimate interest for post-stay surveys from existing customers if the survey is directly related to the stay, the guest was informed at booking, and an easy opt-out is provided. The LIA must be documented before the survey programme launches.

What is 'review gating' and why is it illegal?

Review gating is the practice of routing guests through a pre-screening question (e.g., 'How was your stay?') and only directing satisfied guests to public review platforms like Google or TripAdvisor. The FTC's 2023 Endorsement Guides and TripAdvisor's Content Integrity Policy both prohibit this practice as it creates a misleadingly positive public profile. Hotels must send review invitations to all guests without pre-screening.

How do TCPA rules apply to SMS post-stay surveys?

The Telephone Consumer Protection Act (47 USC 227) and FCC regulations require prior express written consent before sending marketing or survey text messages to US mobile numbers. Consent must be signed (electronic is acceptable), describe the types of messages, and be retained. Each non-compliant SMS can generate $500–$1,500 in statutory damages in class actions, making a missing consent record extremely costly.

What happens if a guest review mentions a food safety incident?

A guest review describing food poisoning or illness is a potential foodborne illness report that triggers FDA and state health department reporting obligations in many jurisdictions. Hotels must route such reviews to their food safety officer within 1 hour, document the complaint, investigate, and report to local health authorities if a pattern emerges. Failure to act creates negligence liability separate from the regulatory risk.